It may seem obvious when said, but knowing exactly how your code works and what it is doing, especially in edge cases, is a very important aspect of security. When an attacker is able to find a bug or "feature" in your code that you are unaware of, it can often be exploited to varying degrees of maliciousness. The well-known service Spotify learned this lesson first-hand when an exploit involving the way it processed usernames was found.
The key mistake was allowing users to register usernames containing any valid Unicode character while the username actually stored was a more restricted version. The username that was stored and checked for internal purposes was produced with Python's string lower() method, which apparently maps a large number of Unicode characters into the 26-character space of lowercase English ASCII letters. As a result, many different visible usernames could collapse into exactly the same stored username once processed by lower(). The attack itself used these collisions to hijack user accounts.
Existing Spotify accounts could be hijacked by signing up for a new account with a username that mapped to an existing username when processed by lower(), then submitting a password reset request. The new account creation process treated the new email address as a change of email address on the old account, so the password reset email went to that address instead of the one belonging to the original user. Once the password was reset, the attacker could log in as the original user with the new password.
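To make the canonicalisation problem concrete, here is an added example (not Spotify's code, and not from the original post) showing the naive "store str.lower() of whatever the user typed" pattern alongside a hardened signup check. The in-memory account store, the usernames and the choice of NFKC normalisation plus casefold() as the canonical form are all constructed assumptions for illustration; the Kelvin sign (U+212A) is used because Python 3's str.lower() maps it to ASCII 'k'.

```python
import re
import unicodedata
from typing import Tuple

# Constructed example data: canonical username -> e-mail on file.
# A toy in-memory store, not Spotify's system.
EXISTING_ACCOUNTS = {"kevin": "kevin@example.com"}

# The canonical form is restricted to a small allow-list, so every
# distinct canonical name is also a distinct ASCII string.
ALLOWED_CANONICAL = re.compile(r"[a-z0-9_]{3,32}")


def naive_canonical(username: str) -> str:
    """The pattern the post describes: store and compare str.lower() of
    whatever Unicode the user typed. Some code points fold into ASCII."""
    return username.lower()


def naive_collides(candidate: str, existing: str) -> bool:
    """True when two visibly different usernames share a naive stored form,
    i.e. the condition that let a new signup alias an old account."""
    return candidate != existing and naive_canonical(candidate) == naive_canonical(existing)


def canonical(username: str) -> str:
    """Assumed hardened canonicalisation: NFKC folds compatibility
    characters (fullwidth, superscript, ligatures) into their base forms and
    casefold() applies full Unicode case folding (e.g. 'ß' -> 'ss')."""
    return unicodedata.normalize("NFKC", username).casefold()


def check_username(username: str, accounts=EXISTING_ACCOUNTS) -> Tuple[bool, str]:
    """Validate a requested username at signup.

    Returns (True, canonical_form) when it may be created, otherwise
    (False, reason). Uniqueness is decided on the canonical form, so a
    name that merely looks different from an existing one is refused.
    """
    c = canonical(username)
    # Canonicalisation must be idempotent: if applying it again changes the
    # result, two code paths that canonicalise a different number of times
    # would disagree about which account a name refers to.
    if canonical(c) != c:
        return False, "canonical form is not stable"
    if not ALLOWED_CANONICAL.fullmatch(c):
        return False, "username must canonicalise to [a-z0-9_]{3,32}"
    if c in accounts:
        return False, f"'{username}' collides with existing account '{c}'"
    return True, c


def lookup_for_password_reset(username: str, accounts=EXISTING_ACCOUNTS):
    """Password-reset lookups use the same canonical form as signup, so a
    reset request can only ever reach the e-mail stored for that account."""
    return accounts.get(canonical(username))


if __name__ == "__main__":
    # U+212A KELVIN SIGN lowercases to ASCII 'k', so "Kevin" spelt with it
    # collapses onto the existing "kevin" under the naive scheme.
    spoof = "\u212aevin"
    print("naive collision:", naive_collides(spoof, "kevin"))
    print("hardened check :", check_username(spoof))
    print("fresh name     :", check_username("Alice_01"))
    # Superscript modifier letters: NFKC folds them to plain capitals.
    print("superscript    :", check_username("\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30"))
```

The two defensive points are that uniqueness and every later lookup (including password reset) go through one canonicalisation function, and that the canonical form is both idempotent and restricted to an allow-list, so a name the user sees can never alias an account the stored form does not also show.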
While this is a more unusual example of code behaving in a way its authors did not expect (which arguably also makes it a more interesting one), it does show the importance of verifying code behavior as well as validating user input for security purposes. Luckily for Spotify, the user who discovered this exploit reported it to them quickly, but the results could have been much worse under different circumstances.